<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Client Side Filtering</title>
<link rel="stylesheet" type="text/css" href="formate.css">
</head>
<body>
<p><b>Lesson Plan Title:</b> Client Side Filtering</p>

<p><b>Concept / Topic To Teach:</b><br/>
It is always a good practice to send to the client 
only information which they are supposed to have access to. 
In this lesson, too much information is being sent to the 
client, creating a serious access control problem.
</p> 

<p><b>General Goal(s):</b><br/>
For this exercise, your mission is exploit the extraneous 
information being returned by the server to discover information 
to which you should not have access. 
</p>

<b>Solution:</b><br/>
<p>
This Lab consists of two Stages. In the first Stage you have to 
get sensitive information . In the second one you have to fix the problem.<br/>
</p>
<b>Stage 1</b>
<p>
Use Firebug to solve this stage. If you are using IE you can try it with 
IEWatch.</p>

First use any person from the list and see what you get. After doing this you 
can search for a specific person in Firebug. Make sure you find the hidden table with
the information, including the salary and so on. In the same table you will find
Neville.

<img src="ClientSideFiltering_files/clientside_firebug.jpg" alt="Clientside Filtering" /><br>
<font size="2"><b>Inspect HTML on Firebug</b></font>

<p>
Now write the salary into the text edit box and submit your answer!
</p>
<b>Stage 2</b>
<p>
In this stage you have to modify the clientSideFiltering.jsp which you will find under 
the WebContent in the lessons/Ajax folder. The Problem is that
the server sends all information to the client. As you could see
even if it is hidden it is easy to find the sensitive date. In this
stage you will add a filter to the XPath queries. In this file you will find 
following construct:<br><br></p>
<code>
	StringBuffer sb = new StringBuffer();<br>
	
	sb.append("/Employees/Employee/UserID | ");<br>
	sb.append("/Employees/Employee/FirstName | ");<br>
	sb.append("/Employees/Employee/LastName | ");<br>
	sb.append("/Employees/Employee/SSN | ");<br>
	sb.append("/Employees/Employee/Salary ");<br>
	
	String expression = sb.toString();<br>
</code>
<p>
This string will be used for the XPath query. You have to guarantee that a manger only 
can see employees which are working for him. To archive this you can use
filters in XPath. Following code will exactly do this:</p>
<code>
	StringBuffer sb = new StringBuffer();<br>
	
	sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/UserID | ");<br>
	sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/FirstName | ");<br>
	sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/LastName | ");<br>
	sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/SSN | ");<br>
	sb.append("/Employees/Employee[Managers/Manager/text() = " + userId + "]/Salary ");<br>
	
	String expression = sb.toString();<br>
</code>
<p>
Now only information is sent to your client you are authorized for. You can click on the button.
</p>

</body>
</html>